Removing spyware is only half the job — if it captured your passwords, the danger lives on in your accounts until you rotate them. This is the focused guide to changing passwords correctly after an infection, in the right order.
This guide is written for everyday phone users specifically, and it’s built to be beginner-friendly: every step is numbered, every screen is illustrated, and nothing assumes you already know where a hidden menu lives. Have your phone open and work through it alongside the guide.
We’ll start with the fastest, highest-value checks and move toward the more thorough ones, so even the first few minutes are well spent. Where a real tool helps, we link straight to the official one — never a sketchy third-party site.
In short: use a clean device to change passwords, start with your email, then cascade, turn on two-factor everywhere it matters, and check sessions and recovery details. Keep reading for the click-by-click version, with an illustration at each stage.
Approach 1: Change Them Right
Every step below uses built-in settings, so there’s nothing to install. Follow them top to bottom; the illustrations point out each control you’ll need.
1Use a clean device to change passwords
Don’t change passwords on the phone that was infected until you’re sure it’s clean — ideally use a different, trusted device. Otherwise lingering spyware could capture the new passwords too.
A clean starting point is what makes the whole effort count.
Treat a scanner as a second opinion rather than the final word: it catches the known threats fast, and your own eyes on the app and permission lists catch the rest.
- Change passwords from a separate, trusted device
- Avoid the infected phone until it’s confirmed clean
2Start with your email, then cascade
Change your email password first, because it can reset every other account, then work through financial, then social and shopping accounts. Make each one new and unique.
The order matters: securing email first stops attackers using it to undo your other changes.
Once this is on, even someone who somehow learns your password is stopped at the door, because they can’t produce the second code that only reaches you.
- Change email first, then financial, then the rest
- Make each password new and unique
Approach 2: Cover the Gaps
Here’s the practical, click-by-click version. Do the steps in sequence on your own phone as you read, and let the images guide each tap.
3Turn on two-factor everywhere it matters
As you go, enable two-factor authentication on each important account, preferring an authenticator app over SMS. This ensures a captured password alone can’t get anyone in, even if you missed one.
Two-factor is the safety margin for any password that slipped through.
The codes refresh every thirty seconds and live only on your device, which is exactly why they can’t be redirected the way a text message can.
- Enable app-based two-factor on key accounts
- It covers any password you might have missed
4Check sessions and recovery details
For each account, log out unknown sessions and confirm the recovery email and phone weren’t changed by the intruder. Attackers often alter these to keep a way back in after you change the password.
Closing recovery loopholes is what makes the lockout permanent.
Removing a device you turn out to own is harmless; you simply sign in again. That makes caution the right call — when unsure, remove it.
- Log out unknown sessions; verify recovery details
- Closing recovery loopholes makes it permanent
Before You Act
- Changing passwords on a still-infected phone can hand the new ones straight back — use a clean device.
- Check recovery email and phone; an attacker may have changed them to undo your work.
Good Habits
- A password manager makes rotating to unique passwords fast and painless.
- Email first — it’s the master key that can reset all your other accounts.
Frequently Asked Questions
What order should I change them in?
Email first, since it can reset everything else, then financial accounts, then social and shopping. Enable two-factor as you go and check recovery details.
Is changing passwords enough?
Combine it with two-factor, logging out unknown sessions, and verifying recovery contacts. Spyware may have changed recovery info to retain access, so check that too.
Why change passwords from a different device?
If any spyware lingers on the infected phone, it could capture the new passwords as you type them. A clean device guarantees your new passwords aren’t immediately stolen again.
Official Tools
These first-party tools let you check and lock things down directly:
- Google Security Checkup — open it to check or manage this yourself.
- Google Authenticator — open it to check or manage this yourself.
- Gmail — open it to check or manage this yourself.
- Apple ID account page — open it to check or manage this yourself.
Take what’s useful and leave the rest for later. The goal isn’t a fortress overnight, it’s steady control — and you’ve already started just by reading this far.
Make Privacy a Habit
Catching a problem is good; preventing the next one is better. The short routine below keeps your phone genuinely hard to watch, and it takes only a few minutes a month.
Add two-factor authentication to your key accounts, starting with email, and you’ve covered the vast majority of realistic risks. Come back to the methods above any time something feels off.
Why It Matters
The reason these steps work is that they target how monitoring actually happens in practice, not the dramatic movie version. Ordinary people are followed through ordinary settings, and ordinary settings are exactly what you’ve just learned to control.
What Trips People Up
- Acting in a visible hurry when a calmer, quieter approach would be both safer and more thorough.
- Reusing the same password across accounts, so fixing one login leaves the others just as exposed.
- Leaving automatic updates off, which keeps the security holes that monitoring tools rely on wide open.
- Stopping after one step — the doors work together, so a single fix often leaves another open.
If You're Still Worried
If you’ve worked through everything and still feel watched, it’s reasonable to bring in help. A trusted person, your phone maker’s official support, or a local support service can give a second pair of eyes. And if any of this connects to feeling unsafe with someone you know, a domestic-violence support service understands technology-facilitated abuse and can help you plan.
Quick Recap
To bring it together for everyday phone users, here’s the whole process at a glance:
- Use a clean device to change passwords
- Start with your email, then cascade
- Turn on two-factor everywhere it matters
- Check sessions and recovery details
Run through it once now, and the next time will take half as long.
Extra Context
- Your email account is the master key to everything else, since it can reset most other passwords; protecting it first protects the rest by extension.
- Reusing passwords is what turns one company’s breach into your problem across many accounts, so unique passwords are less about that one site and more about containment.
- Updates are unglamorous but powerful — most sneaky monitoring leans on security holes that updates quietly close, so keeping automatic updates on does a lot of the work for you.
- A surprising amount of ‘tracking’ turns out to be a setting you switched on and forgot, not a hack — which is good news, because settings are easy to undo.
Hold onto these and the specific steps above become easier to remember, because you’ll understand the logic underneath them.